0xGodson  (@0xgodson_) 's Twitter Profile
0xGodson 

@0xgodson_

Christ is King 👑 | I like web security, and I love JavaScript | OSWE.

ID: 1424056612734464001

https://0xgodson.com | 07-08-2021 17:15:39

1,1K Tweet

1,1K Followers

854 Following

Masato Kinugawa (@kinugawamasato) 's Twitter Profile Photo

I don't know who this will help but I put together a page listing JavaScript APIs that can break Shadow DOM encapsulation :) github.com/masatokinugawa…

terjanq (@terjanq) 's Twitter Profile Photo

Another challenge that I prepared for justCTF2025 was about a neat Prototype Pollution variation that bypasses common mitigation strategies and which isn't commonly known, even in the infosec community! Check out the writeup! gist.github.com/terjanq/fa6f19…

Renwa (@renwax23) 's Twitter Profile Photo

Since Apple doesn’t care, I don’t care either. Here are the details of an address bar spoof vulnerability in Safari on Mac using custom cursor overlap - Apple said it’s *not* a vulnerability. github.com/RenwaX23/X/blo…

Ark (@arkark_) 's Twitter Profile Photo

Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests blog.arkark.dev/2025/09/08/asi… Published author writeup for pure-leak in ASIS CTF Quals 2025!

Youssef Sammouda (sam0) (@samm0uda) 's Twitter Profile Photo

HackerOne is now banning people without explanation or providing how the terms and conditions were violated. While other platforms are advancing, H1's revolutionary new vision is to track hackers on social media, make assumptions and ban them without real proof.

castilho (@castilho101) 's Twitter Profile Photo

A mini research I did about escalating an XSS using 414 and 431 server size limit errors, and how I escalated an XSS to account takeover using a Salesforce URL Limit Gadget on an Ecommerce website. Hope you enjoy it castilho.sh/scream-until-e…

Trend Zero Day Initiative (@thezdi) 's Twitter Profile Photo

Wow - just wow. Ken Gannon (@yogehi) didn't just exploit the #Samsung Galaxy S25: he had it tell a joke, exfiltrate a picture, & open a shell. All that from a single click. He's off to the disclosure room with all the details. You can watch the attempt at youtube.com/live/LuzHcXruJ…

sebsrt (@s3bsrt) 's Twitter Profile Photo

TR.MRG HTTP Request Smuggling? author writeup for Trailing Danger - m0lecon 2026 teaser CTF 👉github.com/sebastianosrt/… I'll share more about trailer fields parsing vulnerabilities soon.

castilho (@castilho101) 's Twitter Profile Photo

I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with m0z, he found that we can also use "https::". This can be used to prevent URL parsing of href, allowing us to hit other endpoints

Infobahn (@infobahn_ctf) 's Twitter Profile Photo

Infobahn CTF starts in 24 hours! Prizes worth over $3000! Challenges across Web, Reverse Engineering, Cryptography, Binary Exploitation, Jail, and more. Sponsored by Google Cloud, OffSec, OtterSec, RET2 Systems, Cybersharing, and Rapid Risk Radar. 2025.infobahnc.tf

alfin (@alfinjose_) 's Twitter Profile Photo

STTF XSleak + dns-prefetch to get past CSP alfinj0se.github.io/posts/backdoor/ Writeup for go touch grass BackDoor CTF 2025

Alexandre Borges (@ale_sp_brazil) 's Twitter Profile Photo

I am excited to release the extended version of the sixth article in the Exploiting Reversing Series (ERS). Titled "A Deep Dive Into Exploiting a Minifilter Driver (N-day)" this 293-page deep dive offers a comprehensive roadmap for vulnerability exploitation:

Evan Connelly (@evan_connelly) 's Twitter Profile Photo

if you’re doing mobile security research and adding your Caido/Burp host + port into iOS proxy settings, you’re probably missing traffic:

0xGodson  (@0xgodson_) 's Twitter Profile Photo

Happy Resurrection Day! Matthew 28:6 CSB He is not here. For He has risen, just as He said. Come and see the place where He lay.